Cybersecurity Practice #3: Access Management (small)

Modified on Wed, 14 Jun, 2023 at 12:38 PM

Health care organizations of all sizes need to clearly identify all users and maintain audit trails that monitor each user’s access to data, applications, systems, and endpoints. Just as you may use a name badge to identify yourself in the physical work environment, cybersecurity access management practices can help ensure that users are properly identified in the digital environment, as well.


Sub-Practices for Small Organizations

User accounts enable organizations to control and monitor each user’s access to and activities on devices, EHRs, e-mail, and other third-party software systems. It is essential to protect user accounts to mitigate the risk of cyber threats. Your IT specialist should implement the security controls in Table 5 to manage user access to data, applications, and devices.

3.S.A Basic Access Management

NIST FRAMEWORK REF: PR.AT, PR.AC-1, PR.AC-6, PR.AC-4, PR.IP-11, PR.IP-1, PR.AC-7

Table 5. Security Controls Enabling Organizations to Manage User Access to Data

Security Control / Description

Establish a unique account for each user

Assign a separate user account to each person in your organization, so that every action recorded in audit trails can be attributed to one individual. Train and regularly remind users that they must never share their passwords. Require each user to choose an account password that is different from the ones used for personal internet or e-mail access (e.g., Gmail, Yahoo, Facebook); a password reused from a personal service that is later breached can be replayed against your systems.
Limit the use of shared or generic accounts

The use of shared or generic accounts should be avoided. If shared accounts are required, train and regularly remind users that they must sign out upon completion of activity or whenever they leave the device, even for a moment. Passwords should be changed after each use.

Sharing accounts exposes organizations to greater vulnerabilities. Because several people know the password, no audit trail entry can be tied to a single person, and the complexity of updating passwords for multiple users on a shared account may result in a compromised password remaining active and allowing unauthorized access over an extended period of time.

Tailor access to the needs of each user

Tailor access for each user based on the user’s specific workplace requirements. Most users require access to common systems, such as e-mail and file servers; access to clinical, billing, or administrative systems should be granted only to the users whose jobs require it. Implementing tailored access is usually called provisioning.
Terminate user access as soon as the user leaves the organization

When an employee leaves your organization, ensure that procedures are executed to terminate the employee’s access immediately: disable or remove the account in every system the person could reach, not only the workstation login. Prompt user termination prevents former employees from accessing patient data and other sensitive information after they have left the organization. This is especially important for organizations that use cloud-based systems, where access is based on credentials rather than physical presence at a particular computer.

Similarly, if an employee changes jobs within the organization, terminate the access associated with the former position before granting access based on the requirements of the new position. Otherwise the user accumulates permissions from every role held, far beyond what the current role requires.
Provide role-based access

As user accounts are established, the accounts must be granted access to the organization’s computers and programs, as appropriate to each user.

Consider following the “minimum necessary” principle associated with the HIPAA Privacy Rule. Allow each user access only to the computers and programs required to accomplish that user’s job or role in the organization. This limits the organization’s exposure to unauthorized access, loss, and theft of data if the user’s identity or access is compromised.

Configure systems and endpoints with automatic lock and log-off

Configure systems and endpoints to automatically lock and log off users after a predetermined period of inactivity, such as 15 minutes. The timer is a backstop, not a substitute: users should still be trained to lock the screen manually when stepping away from a device.

Implement single sign-on

Implement single sign-on (SSO) systems that automatically manage access to all software and tools once users have signed onto the network. Such systems allow the organization to centrally maintain and monitor access, and to disable a departing user’s access to every connected application in one place. Because the SSO credential unlocks everything behind it, protect that sign-on with MFA.

Implement MFA for the cloud

Implement multi-factor authentication (MFA) for the cloud-based systems that your organization uses to store or process sensitive data, such as EHRs. MFA mitigates the risk of access by unauthorized users when a password alone has been stolen, guessed, or phished.

To monitor compliance with the practices listed in Table 5, implement access management procedures to track and monitor user access to computers and programs. These procedures will ensure the consistent provisioning and control of access throughout your organization. Examples of such standard operating procedures can be found in Appendix G of the Main document.
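Part of the tracking described above can be automated as a periodic access review. The following Python script is an added example written for this page; it is not part of the HICP practice, the 405(d) materials, or any vendor product. It reconciles a constructed account export (columns username, employee_id, enabled, entitlements, mfa_enrolled) against a constructed HR roster (employee_id, name, role, status) and flags the Table 5 gaps: generic accounts not tied to a person, accounts still enabled for terminated or unknown employees, entitlements beyond the role’s “minimum necessary” baseline (including rights carried over from a former job), and missing MFA on accounts that reach sensitive data. The column names, roles, entitlement names, role baselines, and sample rows are all hypothetical.

```python
"""Access review: reconcile an account export against the HR roster and role baselines.

Added example, not part of the HICP page or the 405(d) materials. All field names,
roles, entitlements and sample rows below are hypothetical; a real organization
would export the two tables from its directory and HR system.
"""
import csv
import io

# Constructed HR roster (hypothetical). One row per employee, current role and status.
ROSTER_CSV = """\
employee_id,name,role,status
E100,Ana Ruiz,front_desk,active
E101,Ben Ortiz,billing,active
E102,Chloe Park,nurse,active
E103,Dev Singh,nurse,terminated
"""

# Constructed account export (hypothetical). Entitlements are ';'-separated.
# bortiz moved from a clinical role to billing and kept ehr_clinical (job change not cleaned up).
# dsingh has left but the account is still enabled. frontdesk is a generic account
# with no owner. tempuser references an employee_id the roster does not know.
ACCOUNTS_CSV = """\
username,employee_id,enabled,entitlements,mfa_enrolled
aruiz,E100,true,scheduling;email,true
bortiz,E101,true,billing;email;ehr_clinical,true
cpark,E102,true,ehr_clinical;email,true
dsingh,E103,true,ehr_clinical;email,false
frontdesk,,true,scheduling;email,false
tempuser,E999,true,email,true
"""

# Role baselines: the "minimum necessary" entitlement set for each job role (hypothetical).
ROLE_BASELINE = {
    "front_desk": {"scheduling", "email"},
    "billing": {"billing", "email"},
    "nurse": {"ehr_clinical", "email"},
}

# Entitlements that reach sensitive data and therefore require MFA (hypothetical list).
SENSITIVE = {"ehr_full", "ehr_clinical", "billing"}


def parse(csv_text):
    """Parse a CSV string into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def review_accounts(accounts_csv=ACCOUNTS_CSV, roster_csv=ROSTER_CSV):
    """Return (username, finding) pairs, one per Table 5 control violation found."""
    roster = {r["employee_id"]: r for r in parse(roster_csv)}
    findings = []
    for acct in parse(accounts_csv):
        user = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        ents = set(filter(None, acct["entitlements"].split(";")))
        mfa = acct["mfa_enrolled"].strip().lower() == "true"
        emp = roster.get(acct["employee_id"])

        if not acct["employee_id"]:
            # Unique account per user: an account with no owner is shared/generic.
            findings.append((user, "generic_account"))
        elif enabled and emp is None:
            # Enabled account whose owner is unknown to HR: nobody is accountable for it.
            findings.append((user, "orphaned_account"))
        elif enabled and emp["status"] != "active":
            # Terminate access when the user leaves: still enabled after departure.
            findings.append((user, "terminated_user_still_enabled"))
        elif enabled:
            # Role-based access / minimum necessary: anything beyond the role baseline,
            # which also catches rights carried over from a previous job.
            excess = ents - ROLE_BASELINE.get(emp["role"], set())
            if excess:
                findings.append((user, "excess_entitlements:" + ",".join(sorted(excess))))

        # MFA for systems holding sensitive data, checked independently of the above.
        if enabled and not mfa and ents & SENSITIVE:
            findings.append((user, "mfa_missing"))
    return findings


if __name__ == "__main__":
    for username, finding in review_accounts():
        print(f"{username:12s} {finding}")
```

Run it on a schedule (for example, after every HR change and at least monthly) and treat each line of output as a ticket: disable the account, remove the excess entitlement, enrol MFA, or assign an owner to the generic account. The reconciliation is deliberately driven by the HR roster rather than the directory alone, because the roster is the only source that knows who has actually left or changed jobs.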


Threats Mitigated

  1. Ransomware attack
  2. Insider, accidental or intentional data loss
  3. Attacks against connected medical devices that may affect patient safety
